mschap auth for multiple realms off different domain ctlrs?
I've inherited a system which now needs changed and I can't seem to make it do it! I'm sure it can, but I'm just not familiar enough with FreeRadius to know how to coax it into doing what I need. Its a fairly old system, FreeRADIUS Version 1.1.3 Remote users connect to the host using windows VPN client, hence MS-CHAPv2, call terminates on mpd running on freebsd which auths from using freeradius on the same host. That all works. Problem is, the client has been like the borg and assimilated another company and needs to support their roaming users too. so now users log in as user and the request is done via ntlm request to their primary domain controller 10.1.1.1 in realm company1.local This is configured in krb5.conf as far as I can determine. FreeRadius also looks for a specific group membership with "--require-membership-of=company1-vpn-users" I now need to support (additionally) another set of users logging in as otheruser who will need to specify their realm as company2 I can get freeradius to "see" otheruser@company2.local and it splits the username and realm out (as seen with radiusd -X) but what I can't figure out is how to tell it to still use the "local" auth but to know that it now has to use "company2.local" for its realm, to ask 10.1.1.3 instead of 10.1.1.1, and to look for group membership of "company2-vpn-users". I thought I could perhaps use a variable and set that within a specific realm{} definition during auth, but I can't see how to define/use variables other than attributes offered or returned. I have used ntlm_auth --request-nt-key --username=user --password=xxx --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS ntlm_auth --request-nt-key --username=otheruser --password=xxx --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS and I get the right answers, so looks like the settings in my krb5.conf are working, but I just can't see how to get freeradius to make the request this way. (Yes, I know the correct request will use --challenge= and --nt-response= but I'm "assuming" if I can get the rest of the request right, it'll "just work") Any help please? I've googled and tried more things than I can document here without driving you nuts! RossW
I have used
ntlm_auth --request-nt-key --username=user --password=xxx --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS
ntlm_auth --request-nt-key --username=otheruser --password=xxx --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS
and I get the right answers, so looks like the settings in my krb5.conf are working, but I just can't see how to get freeradius to make the request this way.
(Yes, I know the correct request will use --challenge= and --nt-response= but I'm "assuming" if I can get the rest of the request right, it'll "just work")
Create two mschap module instances, mschap_co1 with first ntlm_auth line and mschap_co2 with second one. Then create redundancy inside Auth-Type MS-CHAP (default server for mschap requests, inner-tunnel for peap): Auth-Type MS-CHAP { if(Realm == "company1.local") { mschap_co1 } elsif(Realm == "company2.local") { mschap_co2 } else { mschap (or reject if you don't want to try users file, sql, ldap or other accounts) } } Ivan Kalik Kalik Informatika ISP
On Tue, 28 Jul 2009, Ivan Kalik wrote: Thankyou for the reply and suggestion. I've been interstate and just back now to try it.
Create two mschap module instances, mschap_co1 with first ntlm_auth line and mschap_co2 with second one.
ok.
Then create redundancy inside Auth-Type MS-CHAP (default server for mschap requests, inner-tunnel for peap):
Auth-Type MS-CHAP { if(Realm == "company1.local") { mschap_co1 } elsif(Realm == "company2.local") { mschap_co2 } else { mschap (or reject if you don't want to try users file, sql, ldap or other accounts) } }
When I do this, stop radiusd and re-run with -X, I get: reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/radiusd.conf[1948]: Line is not in 'attribute = value' format Errors reading radiusd.conf I then commented out most to check for stupid operator errors: # new MSCHAP authentication. # auths differently depending on the realm # If none of the defined realms, use standard Auth-Type MS-CHAP { # if(Realm == "aae.local") { mschap_co1 # } # elseif(Realm == "lla.local") { mschap_co2 # } # else { # mschap # } } This at least got further... but not much. Here's the -X output: # /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius.log" main: log_auth = no main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: bind_address = 127.0.0.1 IP address [127.0.0.1] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object "rlm_mschap_co1.so" not found, required by "radiusd" radiusd.conf[1949] Unknown module "mschap_co1". radiusd.conf[1949] Failed to parse "mschap_co1" entry. bash-2.05b# I'm simply not familiar enough with FreeRadius to know where to go with this - I learned enough to set it up many years ago on my own systems, it's been rock-solid ever since and I guess I've just forgotten it all. This particular configuration was done by someone else and is quite different to my own. Any (further) help appreciated.
radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object "rlm_mschap_co1.so" not found, required by "radiusd" radiusd.conf[1949] Unknown module "mschap_co1". radiusd.conf[1949] Failed to parse "mschap_co1" entry.
Did you create 3 instances of mschap using aliases like below? mschap { . . . } mschap mschap_co1 { . . } mschap mschap_co2 { . . }
participants (3)
-
Garber, Neal -
Ivan Kalik -
Ross Wheeler